Ivanti discloses fifth vulnerability, doesn’t credit researchers who found it – Source: go.theregister.com

In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.

Researchers at watchTowr blogged today about not being credited with the discovery of CVE-2024-22024 – the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.

The high-severity authentication bypass flaw only affects a limited number of supported versions, unlike the zero-days that came before it, and, according to Ivanti, it was discovered in-house.

“As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024,” an Ivanti article reads.

However, watchTowr claims its researchers were the first to bring Ivanti’s attention to the bug on February 2, publishing screenshots of the emails exchanged between it and Ivanti as proof.

Commenting on the above excerpt from Ivanti’s advisory, watchTowr said: “Today, Friday February 9, 2024, we are pleased to see that Ivanti has released an advisory for this vulnerability.

“We did find this comment a little curious, but perhaps we have a new set of colleagues?” It went on to say it was “surprised” about seeing the missing credit, but assumes it was done without malice.

The vulnerability itself, to the delight of admins across the land, isn’t as serious as the others that were disclosed over the past few weeks.

In addition to fewer versions being vulnerable, those that applied the updated mitigation provided on January 31 are automatically protected.

Those who applied the patch to their devices when it became available and completed a factory reset of their device(s) are also protected. There is no evidence to suggest it’s been actively exploited as a zero-day, Ivanti said, although that’s been disputed.

The limited versions impacted by the vulnerability are:

• Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)

• Ivanti Policy Secure (version 22.5R1.1)

• ZTA (version 22.6R1.3)

A quick recap

Similar to Fortinet recently, Ivanti’s been having a tough time with security of late.

• Ivanti devices hit by wave of exploits for latest security hole
• Ivanti releases patches for VPN zero-days, discloses two more high-severity vulns
• Ivanti and Juniper Networks accused of bending the rules with CVE assignments
• Ivanti zero-day exploits explode as bevy of attackers get in on the act

In mid-January came the first reports of two zero-days in Ivanti’s products being exploited by attackers that were either pro-China or state-sponsored by Beijing.

Since then, Ivanti has continued to work on developing patches in accordance with its staggered schedule, which is to say it’s developing patches for the versions with the most users, and working down from there. In the meantime, it released a mitigation to keep people safe while they wait for patches.

This patching schedule was supposed to conclude on February 19, but in announcing the first patch at the end of January, Ivanti said this has been delayed.

What it also announced alongside the first patch, and it would be funny if it weren’t so serious, was that in fixing the first two zero-days, it found another two vulnerabilities, one of which was also exploited as a zero-day.

Better yet, Ivanti also said attackers had devised workarounds for the mitigation it provided, so it was forced to make a new one and this is still working to the best of our knowledge.

So that’s four big security holes in the space of a few weeks… today’s takes it to five.

The zero-days were under “mass exploitation” status within days, since proof of concept (PoC) code was published before Ivanti could develop patches. It was suspected at the time that 1,700 devices had backdoors implanted in them.

Underlining the severity of the situation, CISA issued its second emergency directive last week instructing federal agencies to disconnect the products entirely. This followed an initial advisory adding the first two zero-days to its “must-patch” list the same day Ivanti disclosed them.

The UK’s NCSC was also prompted into action today, publishing its own advisory urging immediate patches for all five Ivanti vulnerabilities. ®